[tor-relays] Relay operators: help improve this hardening document?

Fri Feb 6 07:52:53 UTC 2015

On 02/06/2015 12:03 AM, grarpamp wrote:
> On Thu, Feb 5, 2015 at 11:15 PM, Nick Mathewson <nickm at freehaven.net> wrote:
>> The idea is that Tor could ship with some basic recommendations, and
>> links to places to find more advice?
> 
> If it's a question that can be answered by searching "how do i
> secure and run my unix server", including anything other than
> links to such answers would seem redundant. Sure, noobs
> are out there, but it isn't efficient for application projects to
> formally provide general computer training.
> 
> If it's a question of "how do i make tor/unix run happy together
> on my server", ie: file descriptor shortages, that's a specific
> known interaction with tor itself, and thus a different situation.
> 
> The only thing I'd ship with tor are links... to two community
> maintained wiki pages, one for each class of question above.
> From there the community can write whatever faq help desired
> independant of the release process and considering external
> developments.
> 
> If there wasn't a community or wiki, then shipping any critical
> runtime dependency notes on the second class of question
> would be reasonable.
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 

For what it's worth, I'm mmcc - I wrote the doc/HARDENING draft.

It did end up containing more text than we had hoped. However, I think
some of it is worthwhile. For example, the firewall rules are unique to
Tor and not entirely obvious. People also wouldn't encounter the DNS
suggestion elsewhere.

I added that version to the ticket because it was being considered for
the 0.2.6 release. I sent a similar version to the mailing lists a
couple months ago and haven't reviewed and incorporated some of the
suggestions I received, partially because I suspected that it was
already too verbose.

I'm not attached to this document, and I'm fine with it not being added.
I also like the idea of linking to a wiki page. Generally, I think we
need to make more of an effort to get security information to relay
operators. Many volunteer a VPS or home server out of curiosity, and
there isn't much of a culture of operational security among those
contributors. This could become a problem as the network matures.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150206/bd9c0525/attachment.sig>